Digital sovereignty might be a political dream. But resilience is not.
According to Statista (2025), the Big Three American cloud providers - AWS, Microsoft and Google - currently hold 62% of the global market share. But with growing geopolitical instability and rising protectionism, companies across Europe are starting to question their dependence on US cloud giants.
One of the major causes for concern is the CLOUD Act, which allows US authorities to access data stored by American tech firms, even if it is physically stored outside the US. That means European company data hosted on US-owned platforms isn’t entirely out of reach for US law enforcement.
Understandably, EU businesses are growing wary. There’s concern about potential misuse of the CLOUD Act, or worse, a complete shutdown from the American side. In response, over 100 organizations have signed an open letter urging European officials to push for greater technological independence.
Security wake-up call
To address growing risks, the EU has passed the Cyber Resilience Act (CRA). This regulation requires companies to fulfill mandatory cybersecurity requirements throughout the entire lifecycle of their products. The goal is to hold vendors accountable and to give buyers confidence that CE-marked products meet a trustworthy cybersecurity standard.
At KubeCon + CloudNativeCon Europe 2025, security and resilience were among the most pressing topics. Speakers warned that there’s currently “too little choice in the market, and too much power concentrated in too few hands”.
Digital sovereignty: Ambition or Illusion?
Digital sovereignty is a powerful idea: the ability to have control over your data, hardware, and software. As for Cloud sovereignty, it’s about having control, ownership, and jurisdiction over your data and infrastructure. No external dependencies. No foreign jurisdiction. Total autonomy.
At KubeCon, data sovereignty also took the main stage. Speakers and analysts warned about the dangers of single-provider dependency and advised a strong push toward open-source technologies to avoid vendor lock-in and retain control.
New European projects are starting to emerge in an effort to build sovereignty, such as NeoNephos. This project brings together cloud-native experts, developers, and providers to build a sovereign cloud infrastructure in Europe.
But full digital sovereignty is extremely difficult to achieve in practice. As noble as it sounds, full digital sovereignty is still a political dream. We’re part of a global supply chain, most foundational software libraries are maintained in the US or China, and for now, Europe’s cloud ecosystem is still working to match some capabilities of the US hyperscalers.
So yes, sovereignty is a goal worth working towards. But for most companies, it’s not achievable in the short term. It’s a political vision, but not a practical blueprint (yet). The pragmatic solution now is resilience.
Resilience - the pragmatic next step
While full digital sovereignty might remain an ambition, resilience is something we can actually build today.
Resilience means having options. It means designing cloud architectures that include US hyperscalers, European cloud providers, and private cloud environments. Instead of relying on a single provider, companies should think in terms of redundancy, portability, and failover.
We can think of US clouds like electricity: we still use them, but we shouldn’t rely on just one grid. We need backups in place so we’re not left in the dark when something breaks. In cloud terms, that means running critical workloads across private environments, sovereign platforms, and multi-cloud setups that let you “hot-swap” between providers when needed.
This is the core of a Second Platform Strategy: not cutting ties with US providers, but reducing risk through diversity, flexibility, and control. By building resilience into the architecture itself, companies can stay operational, no matter what the political or regulatory climate throws at them.
Looking ahead
As the cloud-native ecosystem matures, resilience will become the new default. That means:
- Prioritizing Zero Trust architecture.
- Diversifying supply chains and infrastructure locations.
- Using open-source.
The road to digital sovereignty is long. But resilience is something we can build now.
For companies looking to take back control of their cloud environments, solutions like Kubermatic Cloud Stack (KCS) and Kubermatic Developer Platform (KDP) offer a powerful alternative. With KCS, organizations can build and manage their own private cloud infrastructure entirely with Kubernetes. It’s a strong fit for companies handling sensitive data, offering greater flexibility and helping ease privacy concerns.
